12.
#engageug
Inheritance
• Inherit
• Plays an important role in parent-child policy hierarchy
• A top level organisational policy is always a parent policy
• Inherits setting from parent policy irrespective of the
setting made in child policy
!12

13.
#engageug
Enforcement
• Enforce
• Plays an important role in parent-child policy hierarchy
• Any setting with enforce checkbox ticked in parent policy
will be enforced in child policy
!13

14.
#engageug
Policy Precedence
Determine the effective policy
• An example. For example a user is assigned three security
settings through three different policies. Explicit, Dynamic
and Organizational with below settings
• The resultant effective policy would be
!14
Required
Change Interval
Assigned Vault Warning Period Allowed Grace
Period
Explicit 120 Days Don't Set Don't Set 120 Days
Dynamic Don't Set ExecutiveVault Don't Set Don't Set
Organizational 90 Days NA 14 Days 90 Days
Required
Change Interval
Assigned Vault Warning Period Allowed Grace
Period
Effective Policy 120 Days ExecutiveVault 14 Days 120 Days

15.
#engageug
Policy Precedence (2)
• If Inherit/Enforce is used in settings document in previous
example
!
• The resultant effective policy would be
!15
Required
Change Interval
Assigned Vault Warning Period Allowed Grace
Period
Explicit 120 Days Don't Set Don't Set 120 Days
Inherit
Dynamic Don't Set ExecutiveVault Don't Set Don't Set
Organizational 90 Days Enforce NA 14 Days 90 Days
Required
Change Interval
Assigned Vault Warning Period Allowed Grace
Period
Effective Policy 90 Days ExecutiveVault 14 Days 90 Days

18.
#engageug
Client-side policies
• How does a client pull policies from server and update them?
!
!
!
!
!
!
• Client Sends hash value of policy information to server
during authentication with user's home server
• Server calculates similar hash value that client should have
and compares if it matches with what client provided
• If it’s not matching then server tells client to refresh the policy
!18
Server
Client
Server tell client to refresh
policy information
Hash value for policy
information

19.
#engageug
Where are client policies stored
• In your Contacts (aka Personal Address Book)
• Dynamic Client Configuration(Ndyncfg.exe) uses
NAMEGetPolicy API, which asks the server to calculate the
effective policy for the user
• Then stores the effective policies locally in the client's
NAMES.NSF database
• Cached policy documents are stored in hidden ($Policies)
view (via Ctrl+Shift ViewGo To) in local NAMES.NSF
• New hashed value received from server are stored by
ndyncfg and sent back to server during next authentication,
starting whole process again
!19

21.
#engageug
Dynamic Client Configuration (DCC)
• DCC is the process that synchronizes local Notes Client
settings with the user profile stored on the Domino Server
• Actual program name: ndyncfg
• Used to run once per day on the first authentication
• In version 6.5.5 and higher changed to run on each
authentication
• Can be run manually. Needs to be run with an option. Any
option...
• ndyncfg /?
• For DCC logging add these parameters to the client
Notes.ini.
DEBUG_DYNCONFIG=1
!21

25.
#engageug
Troubleshooting
• Problem:
You have rolled out a policy, but it’s not working for the users
!
• Problem Determination:
• Is the policy failing for all users or just some users?
• In case of single users it’s probably a local problem
• Check Policy synopsis if the users are supposed to
receive the policy
• Are the affected users on the same server?
• Problem with policies view index?
Load updall -t ($Policies) names.nsf -R
!25

27.
#engageug
Troubleshooting (2)
• Problem Determination
• Where is the policy suposed to be implemented? Server
(mail, traveler, archive) or client (rest)
• In case of server, does the mailfile have the proper
Owner in the calendar profile?
• Remember, AdminP processes the policies every 12
hours
• In case of client, delete policy documents from local
names. Run ndyncfg /?. Did policy documents reappear?
Does problem persist?
• If policy documents didn’t reappear
!27

28.
#engageug
Troubleshooting - When all else fails
• Debug Parameters
DEBUG_POLICY=1
• Also enable console_log_enabled=1
Used for general troubleshooting
Enable the debug and force the policy to be updated
Contact support and provide console.log for review
You can also set this debug with value 2 or 4 for verbose
logging Can be enabled on client as well as on server
• Other parameter like
Debug_DynConfig,DEBUG_DUMP_POLICY=1 and
DEBUG_POLICY_SIGNBIT=1 can be enabled based on
type of problem a console.log needs to be collected for
further review
!28